Running Cisco DNA Center? Update right now to get rid of the static admin credential

Switchzilla scrambles out patches for trio of nasty flaws

Cisco has issued updates to address a trio of critical vulnerabilities in its Digital Network Architecture (DNA) Center appliance.

The networking giant says DNA Center, a network management and administration box Cisco sells directly to customers, has three flaws that would each potentially allow an attacker to take over the appliance remotely.

Perhaps the most glaring of the flaws is the static administrator credentials Cisco somehow left coded into DNA Center. An attacker who had those credentials would, obviously, be able to completely take over the targeted appliance with ease.


"The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software," Cisco explains.

"A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges."

This is something of a nagging, and embarrassing, problem for Cisco. Switchzilla was found back in March to have left static credentials in its IOS platform, and hardcoded passwords sitting around in other networking appliances in recent years.

The second flaw, blamed on bad URL handling, would allow an unauthenticated attacker to send a crafted URL that slips past the login controls and gains "access to critical services".

Also patched was CVE-2018-0268, a vulnerability in DNA Center's handling of Kubernetes containers that would potentially allow an attacker to bypass security protections within the container instances themselves.

"An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers," Cisco writes.

"A successful exploit could result in a complete compromise of affected containers."
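The advisory's precondition is network reachability of "the Kubernetes service port", so the first thing an admin can check, independent of the patch, is whether that port is reachable from anywhere other than the cluster's own nodes. The probe below is an added example, not Cisco's code and not taken from the advisory; the port numbers are the upstream Kubernetes defaults (6443 for the API server, 10250 for the kubelet, 2379 for etcd), and whether DNA Center 1.1.x binds exactly those ports is an assumption, so confirm with `ss -ltnp` on the appliance and adjust the table.

```python
"""Probe whether Kubernetes service ports on a DNA Center appliance are
reachable from the network segment this script runs on.

Added example, not Cisco's code. Port numbers are assumed (Kubernetes
upstream defaults), not taken from the Cisco advisory.
"""
import socket
from typing import Dict, Iterable

# Assumed ports: Kubernetes upstream defaults, to be confirmed on the box.
KUBE_PORTS: Dict[int, str] = {
    6443: "kube-apiserver",
    10250: "kubelet",
    2379: "etcd",
}


def port_is_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port completes within timeout.

    A refused or timed-out connection (OSError, which includes
    socket.timeout) is reported as closed.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def exposed_kube_ports(
    host: str, ports: Iterable[int] = KUBE_PORTS, timeout: float = 2.0
) -> Dict[int, str]:
    """Return {port: service_name} for every probed port that accepted a
    connection; ports outside KUBE_PORTS are labelled "unknown"."""
    return {
        p: KUBE_PORTS.get(p, "unknown")
        for p in ports
        if port_is_open(host, p, timeout)
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    found = exposed_kube_ports(target)
    if found:
        print(f"{target}: Kubernetes service ports reachable from here: {found}")
        print("Unless this host is a cluster node, filter these ports at the "
              "upstream ACL/firewall until the appliance is on a fixed release.")
    else:
        print(f"{target}: no Kubernetes service ports reachable from here")
```

Run it from a workstation VLAN, a management jump host and a cluster node in turn: only the last should see any of the ports open. A connect-level probe says nothing about authentication on the port, so an open result is a reason to check the ACL, not proof of exploitability.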

For all three bugs, Cisco is pushing out an update to DNA Center via its on-board System Updates tool. Admins will want to get version 1.1.3 to be sure they have all three security holes addressed. ®